One approach to the problem of data theft is to reduce the value of stolen data. For example, if it is not possible to use stolen credit card numbers to make purchases, the value of that stolen data is greatly reduced. Doing this involves making significant changes to how people do business, but I believe is should be a long-term goal.
The original intention of credit and debit cards was that the card would have to be physically present for a transaction. However, "card holder not present" transactions are now allowed, to enable use over the phone and Internet. One protection for these transactions is to only deliver to the billing address. However, sometimes it's desirable to deliver to other addresses (e.g. for gifts) and sometimes there is no physical good to deliver (e.g. purchasing funding for a PayPal account).
Given this, someone who knows a credit (or debit) card number, and associated details such as card holder name and expiry date can potentially use that information to make purchases. There are several precautions against such abuse:
Despite all these precautions, stolen card details can still be used to make payments. This is primarily because controls aren't universally applied, e.g. verified by Visa doesn't apply to phone transactions. And ultimately, this is because card issuers don't want to hinder legitimate users. If fraud problems become worse, they may be more willing to do so.
Many payment systems have potentially similar problems, e.g. direct debit, a UK system to take money directly from bank accounts. However, these are not attacked on such a wide scale.
What I mean by "identity theft" is applying for an account in the name of someone else. Currently, this is relatively easy to do knowing fairly basic personal information on the victim.
For example, To open a credit card account, you need to provide various bits of personal information (name, DOB, address, etc.), pass a credit check, and receive the credit card at a nominated address. If you have someone else's personal info, you can use this on an application, giving their current address as the previous address. Use an address you can access (but is not traceable, e.g. an empty house) as the current address. The application will pass the credit check on the other person's credentials and the card will arrive at the address you control. At this point you can use the card and forget all about the bills.
This problem is somewhat harder to fix that the card fraud problem, primarily because the organisation handling the application doesn't have an existing relationship with the customer. If they wanted to speak to the customer to verify the application, they only have contact information provided on the form, which has been submitted by the identity thief.
Some tactical steps may help, for example, risk assessing applications and subjecting some (e.g. recent change of address) to particular scrutiny. Consumers can at least be alerted when this occurs by subscribing to credit monitoring services. Attempts to fix the problem more generally tend to rely on an organisation being the overall authority for people's identity, for example: